Posted by: David Harley | February 22, 2018

Avast: Android APT delivered via Facebook

Avast: Social engineering used to trick Facebook users into downloading Advanced Persistent Threat disguised as Kik Messenger app.

The fake FB profiles from ‘attractive but fictitious women’ lure victims into downloading spyware the company calls Tempting Cedar Spyware.

Commentary by Danny Palmer for ZDnet here: Hacking group used Facebook lures to trick victims into downloading Android spyware

“At least three fake social media accounts posing as young women have encouraged victims into downloading highly invasive Android malware.”

David Harley

Posted by: David Harley | February 21, 2018

Text bomb, text bomb you’re my text bomb…

No, nothing to do with Tom Jones, really.

Tomáš Foltýn for ESET: Apple defuses ‘text bomb’ bug

“Apple has fixed an irritating bug that was apt to wreak havoc on many of the company’s products when they attempted to display a single character from the alphabet of Indian language of Telugu […] The flaw was present in the operating systems on a broad swath of Apple’s devices – iPhones, iPads, Mac computers, Apple TV boxes, and smartwatches. It has now been addressed with iOS version 11.2.6 […] and with watchOS 4.2.3, tvOS 11.2.6, and macOS 10.13.3.”

David Harley

Posted by: David Harley | February 21, 2018

G Data on Android malware sample numbers

Christian Lueg for G Data: Some 343 new Android malware samples every hour in 2017. The article quantifies that as 3,002,482 samples over the whole year. That’s a little lower than in 2016, but he also points out:

“In the past year alone, Google and AV providers discovered over 700,000 apps that violate the guidelines of the Play store. This constitutes an increase of 70 percent compared to 2016. Among the malicious apps were copycats – apps with unacceptable content and malware which pose as legitimate apps.”

If Google comments on this post at all, which I doubt, it will probably point out that this is a very small number when you look at the entire Android ecology. But it still looks like a big number to me.

David Harley

Posted by: David Harley | February 16, 2018

Screenshots and sandboxes

John Gruber: The Threat to the Mac: The Growing Popularity of Non-Native Apps

Mac apps have been able to “see” the entire display ever since the Mac debuted. The Mac needs … the power for apps to shoot the user in the foot.

An example from the sandbox debate (also quoted by Gruber):

“Cocoa-based Mac apps are rapidly being eaten by web apps and Electron pseudo-desktop apps. For Mac apps to survive, they must capitalize on their strengths: superior performance, better system integration, better dev experience, more features, and higher general quality.

But the app sandbox strikes at all of those. In return it offers security inferior to a web app, as this post illustrates.”

The screenshot issue (from Felix Krause): Mac Privacy: Sandboxed Mac apps can record your screen at any time without you knowing

David Harley

Posted by: David Harley | February 15, 2018

Android ransomware info from ESET

ESET: blog article and pointer to paper. Android ransomware in 2017: Innovative infiltration and rougher extortion

“To find out more about ransomware on Android, the nastiest variants of the past year, as well as the most noteworthy examples since 2013, read the new whitepaper by ESET: Android Ransomware: From Android Defender To Doublelocker.”

David Harley

Posted by: David Harley | February 8, 2018

iBoot firmware source leak

Chris Williams for The Register: Apple’s top-secret iBoot firmware source code spills onto GitHub for some insane reason

Williams says:

“The confidential source code to Apple’s iBoot firmware in iPhones, iPads and other iOS devices has been leaked into a public GitHub repo.”

There’s no need to panic: no-one is suggesting an immediate threat to iOS end users. But some of us will be very interested to see how this plays out.

David Harley

Posted by: David Harley | January 31, 2018

Google: defending against Android malware

Google waxes optimistic on its Android Developers Blog: How we fought bad apps and malicious developers in 2017. Andrew Ahn says:

We’ve also developed new detection models and techniques that can identify repeat offenders and abusive developer networks at scale. This resulted in taking down of 100,000 bad developers in 2017, and made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps.

For The Parallax, Seth Rosenblatt quotes Andrew Ahn as saying that:

…of all the malicious apps submitted to Google Play, only 1 percent of them make it past Google’s filters to consumers…

To put those figures into some sort of perspective, one source states that as of December 2017, 3.5 million apps were available from the Google Play store, though it’s not clear what percentage of apps submitted at any given time are malicious. However, it’s reassuring that Rosenblatt is also able to quote a spokesman as saying that:

…the company detects “most” malware successfully uploaded to Google Play “within a day.”

Graham Cluley, for ESET, notes that Google smashed over 700,000 bad Android apps last year but advises caution:

Despite the reports from Google’s Android security team of impressive improvements, the truth is that bad apps have often been found on the Google Play store, and barely a week goes by without reports of malicious Android apps being discovered and sometimes downloaded thousands of times.

I won’t dispute Ahn’s claim that “You have a lower probability of being infected by malware from Play than being hit by lightning” – I don’t have exact figures either way. But it’s clear that Google Play is probably significantly safer than alternative Android app stores.

David Harley

Posted by: David Harley | January 24, 2018

macOS and iOS fixes – Spectre and Meltdown

The Register: It’s 2018 and your Macs, iPhones can be pwned by playing evil music (Actually mostly about macOS and iOS patches including Spectre and Meltdown fixes.)

David Harley

Posted by: David Harley | January 20, 2018

macOS DNS hi-jacker

Patrick Wardle: Ay MaMi - Analyzing a New macOS DNS Hijacker: OSX/MaMi.

Analysis of malware Patrick calls OSX/MaMi. Irritatingly, he presents hashes as screendumps rather than text, but if I have transcribed it correctly it’s SHA-256 5586be30d505216bdc912605481f9c8c7bfd52748f66c5e212160f6b31fd8571, detected at time of writing by 28 out of 58 engines, according to VirusTotal.

NB: VT doesn’t use all the functionality of the engines it uses, so it’s possible that some other engines will block/detect it even though they aren’t yet listed there, but the figures do at least give some idea of how many products have added detection since Patrick originally checked.

David Harley

Posted by: David Harley | January 16, 2018

Android Spyware

Securelist (Kaspersky) – Skygofree: Following in the footsteps of HackingTeam

David Harley